active-directory-certificate-services
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill contains a vast array of pre-configured command-line instructions for security tools such as
certipy,Certify.exe,ntlmrelayx.py, andPetitPotam.py. These are used to enumerate vulnerabilities, modify Active Directory templates, and perform NTLM relay attacks. - [DATA_EXFILTRATION]: The playbook documents procedures for extracting sensitive cryptographic material and credentials, including Certificate Authority (CA) private keys via
certipy ca -backupand user NT hashes through PKINIT authentication withcertipy auth. - [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection (Category 8), as it requires the agent to ingest and act upon data retrieved from potentially adversarial Active Directory environments.
- Ingestion points: Data enters the agent's context through the output of enumeration tools like
certipy find,Certify.exe find, andldapsearch(documented in SKILL.md and ADCS_ESC_MATRIX.md). - Boundary markers: Absent. There are no instructions or delimiters directing the agent to ignore or isolate instructions that may be embedded within certificate template names, descriptions, or CA metadata.
- Capability inventory: The agent has access to powerful capabilities including local and network-based command execution, credential extraction, and the ability to modify directory objects across multiple scripts.
- Sanitization: Absent. The skill does not provide methods for validating or sanitizing environment data before it is interpreted by the agent.
Audit Metadata